WordPress Plugin Vulnerabilities

WP Virtual Assistant <= 3.0 - Missing Authorization

Description

The WP Virtual Assistant plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
VirtualAssistant
No known fix

References

CVE
CVE-2025-60155
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/b2f9203f-15c7-4179-86ef-44b0e2788b3c

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
João Pedro S Alcântara (Kinorth)
Verified
No
WPVDB ID
1608b252-4bf5-4efc-a085-2c12c3759498

Timeline

Publicly Published
2025-09-26 (about 7 months ago)
Added
2025-09-29 (about 7 months ago)
Last Updated
2025-09-29 (about 7 months ago)

Other

Published
Title
Published
2025-12-05
Title
MultiParcels Shipping For WooCommerce < 1.30.13 - Missing Authorization
Published
2024-11-28
Title
Smart Marketing SMS and Newsletters Forms < 5.0.5 - Missing Authorization
Published
2023-11-20
Title
Contact Form to Any API < 1.1.7 - Subscriber+ API Entry Record Deletion
Published
2026-01-20
Title
Scalenut <= 1.1.3 - Missing Authorization
Published
2025-04-09
Title
WooCommerce Multilingual & Multicurrency < 5.3.9 - Unauthenticated Tax Sync Settings Update